Creating and Configuring a Threat Task

Important! When creating a threat task for use on agent machines, it is strongly recommended that you remove all other antivirus and antispyware programs that may be running on the agent machines. Using multiple threat programs on the same machine may cause serious performance issues.

A threat task is used to define a scheduled service that runs periodically on agent machines looking for threats. It defines when the agent machines will be scanned for threats, where on the machines to look for threats, and what techniques to use. A threat task can also specify whether an agent machine should be restarted if threats are detected and removed. When active, a threat task always searches for all types of threats including viruses, spyware, worms, rootkits, etc.

Do not confuse a threat task with Active Protection. A threat task runs on a scheduled basis, while Active Protection (if enabled) runs constantly and is continuously checking for malicious activity.

You can create multiple threat tasks for one agent policy. Each task can be expanded and collapsed using the chevron () that resides on the task title bar. This enables you to view just the task you are working on at any one time.

While there is no theoretical limit to the number of threat tasks you can create for an agent policy, there is a practical limit. For example, it may become difficult to track and manage a policy if it contains too many threat tasks. Also, you run the risk of multiple reboots occurring on one machine at the same time.

Note: What the agent does if it detects a threat is defined on the Threat Actions tab. See Specifying Threats Actions for details.

You configure agent threat tasks on the Threat tab. You can edit an existing threat task, or you can create a new task by clicking either Add a Quick Scan Threat Task or Add a Full Scan Threat Task. These two default templates are defined as follows:

Quick Scan:

Scan every weekday (Mon - Fri) at 1:00 a.m.

Scan only those locations commonly affected by threats

Scan for all threat types

Reboot immediately after removing threats (if a reboot is required to complete the removal of the threat)

Full Scan:

Scan only on Sunday at 1:00 a.m.

Scan all local drives and archived files

Scan for all threat types

Reboot immediately after removing threats (if a reboot is required to complete the removal of the threat)

After naming the threat task you can modify it as desired.

Tip: It is strongly recommended that you use a distribution server with any agent policy that contains a threat task. The threat definition file is rather large and using a distribution server to store the file will greatly improve the download performance for your agents.

Threat Task Schedule

The threat schedule specifies how often the task will run on a target machine. It allows you to regularly run the task at a specific time or using a specified recurrence pattern. A built-in scheduler will be provided for each agent. The scheduler will check for new threat data immediately before starting a scheduled threat task.

The agent scheduler will serialize executions of the same agent engine. For example, if you define a policy with two threat tasks that both start at 1:00 AM, they will not both start at 1:00; rather, they will be serialized (run back-to-back). If you have a threat task and a patch task both scheduled for 1:00 AM, however, they will both be started at 1:00 AM as they use different agent engines.

Hourly: Allows you to schedule the task to be run on an hourly basis.

Run every hh hours: You can specify exactly how many hours there should be between scans. Valid values are from 1 - 100 hours.

starting at this time: The first scan will begin at the specified time. Subsequent scans will be performed at the interval specified on Run every hh hours.

Daily: Indicates that the task will be run on the specified days, at the time of your choosing. For example, using this option a scan could be run every night at midnight, or every Saturday at 9:00 pm, or at 1:00 am the first Sunday of every month , etc.

Randomize scheduled time (minutes): Staggers the exact time the task will be performed so as not to overtax the console or distribution server with simultaneous requests to download patch files, scan engines, etc.

Run on boot if schedule missed: If a scheduled task is missed while a target machine is powered off, this option enables you to force the task to automatically run whenever the machine is restarted. The task will run immediately unless you enable the Delay after boot (minutes) check box, in which case the execution will be delayed by the specified number of minutes.

Threat Task Scan Options

The threat scan options enable you to specify what file locations you want the agents to scan, what additional areas on a target machine to scan, and whether to use advanced techniques when scanning for threats. Network drives are never scanned by the agents.

Threat Locations: Enables you to specify what file locations on a target machine you want the agent to scan for threats.

None (no file scan): No files will be scanned on the target machine. This does not necessarily mean that a threat scan will not be performed. Any additional areas you specify in the Threat Types section will still be scanned, and any advanced techniques you specify in the Threat Types section will still be performed.

Common Locations: Scan only those locations commonly affected by threats. This includes areas such as processes, critical Windows files, and other susceptible areas on your computer. This scan is typically quicker than a scan of all files on all drives.

System drive only: Scan only the system drive, typically C:\

All local drives: Scan all hard drives on the target machine, including external removable drives. This is a very deep and robust scan and may take longer to complete.

Exclude removable drives: Do not scan temporary drives such as flash, USB, or external hard drives.

Scan archived files (e.g. ZIP, RAR, etc.): Indicates if archived files will be scanned. If an archive file is found to contain an infected file, the infected file is removed immediately from the archive.

Threat Types: Enables you to specify what additional areas on a target machine to scan for threats (those areas being the temporary Internet folder for cookies, all running processes, and/or the registry). You can also specify what advanced techniques to use (Heuristic scanning and/or rootkit scanning techniques). Enabling any of these options results in a deeper and more thorough scan, but also a longer scan.

Select all that apply.

Cookies: Scan for cookies on the agent machine. This only applies to Internet Explorer.

Processes: Scan any running programs for threats. For example, if an Internet browser and an e-mail program are running, they will be scanned for threats.

Registry: Scan the agent machine's registry for threats.

Heuristic scanning: Scan for threats by looking at the internal characteristics of individual files to determine if it is possibly spyware.

Rootkits: On 32-bit systems, scan for software tools that are intended to conceal running processes, files, or system data from the operating system. Rootkits are not scanned on 64-bit systems.

Threat Task Reboot Options

The SafeReboot™ options enable you to specify whether or not to reboot machines after any detected threats are removed, when the reboot should occur, and how much control to give the users.

Note: Threats are considered to be removed if they are deleted immediately or if they are placed into the quarantine directory. See Specifying Threat Actions for details.

Never reboot: This SafeReboot capability specifies that it is unnecessary to reboot the machines after threats are removed. The remaining options on this tab will be disabled. As a rule, you should only enable this option when you are removing threats that you know do not require a reboot.

Reboot whenever threats are removed: This SafeReboot capability specifies that each machine should be reboot after the threats are removed. This is the safest option, but there may be times when machines are reboot unnecessarily.

Allow reboots (only when needed to complete threat removal): This SafeReboot capability specifies that the machine will be restarted if it is determined that a reboot is required in order to complete the threat remediation process. Use the Schedule reboot options to specify when the reboot will occur. If you do not want to reboot the machine following removal of threats, clear this check box. The remaining options on this dialog are made unavailable.

Schedule reboot: If you elect to reboot the machines after threats are removed, for those machines without users logged on you can specify when the reboot should occur. You can:

Reboot the machines immediately.

Reboot at a specific time.

Reboot at a specific date and time.

Note: If a target machine is rebooted before a scheduled reboot occurs, the scheduled reboot is no longer necessary and will be cancelled.

If a user is logged on: If you elect to reboot the machines after threats are removed, you can specify the amount of warning that a logged-on user will receive and you can choose the degree of control the user will have over the reboot process. You can:

Alert the user that a reboot will occur when they log off.

Elect to force a reboot after a number of minutes have passed.

Elect to force a reboot at a specific date and time.

Show a time-out countdown on the user's machine in advance of the reboot with a specified initial time-out value.

Allow the user to extend the time-out countdown up to a specified maximum. The maximum can be specified as either a duration or as a specific latest time that the reboot will occur.

Allow the user to cancel the time-out. If a time-out is cancelled the reboot will not occur until the user logs off or manually reboots the machine.

To preview the dialog box that the user will see, click Show Sample Countdown. For example:

Save and update Agents

Saves all changes to the policy file and stores it on the console. Also updates any agent machines that are currently assigned this policy as follows:

If an agent machine is online and configured to listen for policy updates, the updated policy will be pushed out to that machine immediately.

If an agent machine is online but is not configured to listen for policy updates, the updated policy will be pushed out the next time the agent checks in with the console.

If an agent machine is not currently online, the updated policy will be pushed out the next time the agent checks in with the console.

The Agent Policy Editor will be closed.

Cancel

Indicates you want to exit the Agent Policy Editor without saving your most recent changes. A "Do you want to save your changes?" prompt will appear that gives you a second chance to save your changes. If you click Yes the policy will be saved and the associated agents updated (the same as Save and Update Agents). If you click No the Agent Policy Editor will be closed without saving your changes.